Now, this Domain Hijacking is getting funky … [Updated]

So, about 24 hours ago I noticed that my DNS servers for my Domain uu.org were pointing to some external provider instead of my own boxes. I initially thought Network Solutions (NSI) fucked something up and got really pissed as their support website refused to work, creating an error message instead of a ticket.

Further investigation now leads me to believe that someone really is trying to steal my domain, i.e. on purpose. As I had to discover earlier today, another of my domains, 42.to, was forcefully reconfigured as well, now pointing to nameservers ns43.domaincontrol.com and ns44.domaincontrol.com instead of mine. What’s more, the MX was repointed as well, now delivering *my* emails to smtp.asia.secureserver.net and mailstore1.asia.secureserver. As 42.to was used as the email address with NSI, this most likely is how “they” got administrative access to the uu.org domain entries (NSI allows one to retrieve one’s ID, and with the ID one can ask for a password reset link sent by … email).
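The chain described above (expired email domain, MX repointed, registrar password reset delivered to the new MX) is detectable from the outside: the NS and MX record sets of each owned domain can be compared against a baseline, and the registrar contact address can be checked for whether its domain is itself under the owner's control. The script below is an added illustration and is not part of the original post; the baseline nameservers (`ns1.example-own.net.` etc.) are hypothetical, the `dig +short`-style output is constructed from the hostnames the post mentions (the MX priorities are made up), and `fetch_records` assumes the `dig` CLI is installed for live use.

```python
"""Nameserver/MX drift detection plus a registrar-contact dependency check.

Added example, not code from the original post. Baselines are hypothetical;
the sample dig output is constructed from hostnames quoted in the post.
"""
import subprocess
from typing import Dict, List, Set

# Hypothetical baseline: the NS and MX hosts the owner expects to see.
EXPECTED: Dict[str, Dict[str, Set[str]]] = {
    "42.to": {
        "NS": {"ns1.example-own.net.", "ns2.example-own.net."},
        "MX": {"mail.example-own.net."},
    },
}

# Constructed `dig +short` output mirroring what the post reports for 42.to
# after the re-registration (priorities 0/10 are invented for the sample).
SAMPLE_DIG_OUTPUT = {
    ("42.to", "NS"): "ns43.domaincontrol.com.\nns44.domaincontrol.com.\n",
    ("42.to", "MX"): "0 smtp.asia.secureserver.net.\n"
                     "10 mailstore1.asia.secureserver.net.\n",
}


def parse_dig_short(rtype: str, text: str) -> Set[str]:
    """Turn `dig +short` output into a set of normalised, dot-terminated names.

    NS answers are bare hostnames; MX answers carry a preference first.
    Malformed MX lines are skipped rather than trusted."""
    hosts: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if rtype == "MX":
            parts = line.split()
            if len(parts) != 2 or not parts[0].isdigit():
                continue
            line = parts[1]
        hosts.add(line.lower().rstrip(".") + ".")
    return hosts


def fetch_records(domain: str, rtype: str) -> Set[str]:
    """Live lookup through the dig CLI (assumption: dig is on PATH)."""
    out = subprocess.run(["dig", "+short", rtype, domain],
                         capture_output=True, text=True, timeout=10).stdout
    return parse_dig_short(rtype, out)


def diff_records(domain: str, rtype: str,
                 expected: Set[str], observed: Set[str]) -> List[str]:
    """Report every host that appeared or vanished relative to the baseline."""
    findings = [f"{domain} {rtype}: unexpected {h}" for h in sorted(observed - expected)]
    findings += [f"{domain} {rtype}: missing {h}" for h in sorted(expected - observed)]
    return findings


def audit(expected: Dict[str, Dict[str, Set[str]]],
          observed: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Run diff_records over every domain/record type in the baseline."""
    findings: List[str] = []
    for domain, types in expected.items():
        for rtype, exp in types.items():
            findings += diff_records(domain, rtype, exp,
                                     observed.get(domain, {}).get(rtype, set()))
    return findings


def contact_email_exposure(contact_email: str, owned: Set[str]) -> List[str]:
    """Flag a registrar contact address whose domain the owner does not control:
    if that domain lapses, its new holder receives the password-reset mail."""
    domain = contact_email.rsplit("@", 1)[-1].lower()
    if domain not in owned:
        return [f"contact {contact_email}: domain {domain} is not in the owned set"]
    return []


if __name__ == "__main__":
    observed = {"42.to": {rt: parse_dig_short(rt, txt)
                          for (_, rt), txt in SAMPLE_DIG_OUTPUT.items()}}
    for finding in audit(EXPECTED, observed):
        print(finding)
    for finding in contact_email_exposure("wusel@42.to", {"uu.org"}):
        print(finding)
```

Run periodically from a host outside the monitored domains, the `audit` output is the early warning the post says never arrived; the contact check is the part that would have caught the real dependency, since the registrar account was only as safe as the least-watched domain in its contact address.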

What’s odd is that GoDaddy seems to be playing an active role here, as both domaincontrol.com and secureserver.net are registered to:

With reference to your recent enquiry, we must inform you that the registration of 42.to expired 2012-06-16. Remaining unpaid this was deleted one month later.

Checking my mailbox, it seems that I haven’t received any expiry notifications from TONIC after the renewal in 2007; most likely this summer I forgot to check on 42.to when renewing uu.org (it’s due on a similar timeframe).
Fu^WUnfortunate, but, well, 50 USD/year was quite a high price for a domain I barely used anyway (initially as secondary domain for the uu.org nameservers; the last live server in that domain went out of business in 2009, so actually no real loss). Oddly enough, it took until 2012-10-27 for someone to grab it, and www.42.to now points to GoDaddy IP space (173.201.238.128), returning a forbidden/404 when accessing it.

So, no takeover there; but I still wonder if it’s a coincidence that the mail address wusel@42.to was used in the records for uu.org (and now ends up somewhere in GoDaddy/Special Domain Services land) and that uu.org had its DNS changed yesterday.

By another coincidence, according to my mailbox, NSI did send me (to wusel@42.to) the “Action Required: Notice Regarding Your Domain Name(s)” email on behalf of ICANN usually between end of October and late November — maybe that was the trigger?